Discussions

Back in scripting languages, we are very cautious with what the user puts in. We have to validate the max length of the input so it won't cause a buffer overflow. We have to remove suspicious characters to prevent system attacks.

Now in a Java web app, do we still need to do that?
What validation is required specifically for a Java web app to prevent these kinds of attacks?

Yes, you should still do that. Just because you're using Java does not mean that the "normal attacks" are carried out by malicious HTML/JavaScript/VBScript "code." On the other hand, it does make it difficult to insert CGI code into the server, unless your server happens to support CGI...

I would say use as much JavaScript as you can to perform client-side validation (format, length etc.), and only use server-side validation if there is no way you can perform a client-side validation. It saves you the network round trip, and also minimizes your server-side code.

A good persistence framework can really limit the kinds of CGI-style attacks you need to worry about. The classic CGI attack was to enter extraneous SQL code in the hopes of breaking database updates. Modern persistence frameworks like EJB, JDO or Hibernate automatically escape special characters in generated SQL calls, making this kind of attack very difficult.
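The two pieces the replies above describe (length and character checks on what the user submits, and SQL that is generated so the input can never be parsed as SQL) look like this in a plain servlet-era Java application using JDBC. This is an added example, not code from the thread; the class name, the `users` table and the column names are assumptions, and the validation is deliberately placed on the server so it runs whether or not any JavaScript check ran in the browser.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Hypothetical helper: server-side input validation plus a parameterised query. */
public class SafeUserLookup {
    private static final int MAX_USERNAME_LEN = 32;
    // Allow-list of characters a username may contain; anything else is rejected
    // rather than "cleaned", so quotes, semicolons and control characters never reach SQL.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]+$");

    /** Returns the validated username or throws. Called on every request, regardless of client-side checks. */
    public static String validateUsername(String raw) {
        if (raw == null) throw new IllegalArgumentException("username missing");
        String name = raw.trim();
        if (name.isEmpty() || name.length() > MAX_USERNAME_LEN)
            throw new IllegalArgumentException("username length out of range");
        if (!USERNAME.matcher(name).matches())
            throw new IllegalArgumentException("username contains disallowed characters");
        return name;
    }

    // Weak form, shown only for contrast: the input becomes part of the SQL text,
    // so a quote in the value changes the statement's meaning.
    static String concatenatedQuery(String name) {
        return "SELECT id FROM users WHERE name = '" + name + "'";
    }

    /** Hardened lookup: the value is bound as a parameter, so the driver sends it as data, not SQL. */
    public static Integer findUserId(Connection conn, String rawName) throws SQLException {
        String name = validateUsername(rawName);
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(validateUsername("  alice.smith ")); // accepted, trimmed
        for (String bad : new String[] { "", "bob'", "x".repeat(40) }) {
            try { validateUsername(bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Note that the allow-list rejects rather than strips: stripping characters can silently turn one valid-looking value into another, while rejection keeps the behaviour predictable and the failure visible in logs.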
